Use btool to troubleshoot configurations

The Splunk Enterprise configuration file system supports many overlapping configuration files in many different locations. How these configuration files interact with and take precedence over one another is described in Configuration file precedence in the Admin Manual. This flexibility can make it hard to figure out exactly which configuration value Splunk Enterprise is using.

To help you out, Splunk provides btool. This is a command line tool that can help you troubleshoot configuration file issues or see what values are being used by your Splunk Enterprise installation.

Btool displays merged on-disk configurations. That is, btool shows you the merged settings in the .conf files. It does not necessarily show you what Splunk software is currently using. So for example if you edit a .conf file and do not restart (and the edit requires a restart), btool reports the newly edited settings rather than the settings that are currently being used. To view current in-memory configurations, query the REST endpoint /services/properties/.

Note:btool is not officially supported by Splunk. That said, it is what our Support team uses when trying to troubleshoot your issues.

You can run btool to see all the configuration values in use by your Splunk software instance.

From $SPLUNK_HOME/bin type:

./splunk cmd btool <conf_file_prefix> list

where <conf_file_prefix> is the name of the configuration file you're interested in (minus the .conf extension). The list literal specifies that you want to list the options.

For example, to see what settings transforms.conf is using, type:

./splunk cmd btool transforms list

You probably want to send the results of btool into a text file that you can peruse then delete, like this:

./splunk cmd btool transforms list > /tmp/transformsconfigs.txt

or if not to a file, at least pipe to grep like this:

./splunk cmd btool server list --debug | grep '\['

which determines which server.conf stanzas are being recognized.

Piping to a file is handy for all use cases of btool, but for simplicity we'll only explicitly mention it this once.

Investigate configuration values in one app

You can also run btool for a specific app in your Splunk instance. It lists all the configuration values in use by that app for a given configuration file.

To run btool, go to $SPLUNK_HOME/bin and type:

./splunk cmd btool --app=<app_name> <conf_file_prefix> list

where <app_name> is the name of the app you want to see the configurations for.

For example, if you want to know what configuration options are being used in props.conf by the Search app, type:

./splunk cmd btool --app=search props list

This returns a list of the props.conf settings currently being used for the Search app.

The app name is not required. In fact, it is often a good idea not to specify the app when using btool. In the case of btool, insight into all of your configurations can be helpful.

Learn where configuration values come from

Another thing you can do with btool is find out from which specific app Splunk is pulling its configuration parameters for a given configuration file. To do this, add the --debug flag to btool like in this example for props.conf:

Comments

Maybe I'm missing it, but how would one use btool with the meta conf files (default.meta and local.meta)?<br />./splunk btool [???] list

SloshBurch

November 5, 2014

This tool is quite handy. Another thing that I observed is the btool picks up the config from the physical files, what would also be useful is to pick the config from the app context to know what the app is really using. This especially works when some one has gone and changed the config and did not do a restart.

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »